(1) Field of the Invention
The present invention relates to a technique for recording a digital work on a recording medium, distributing the recording medium, and reproducing the digital work from the distributed recording medium, and in particular to a technique for managing key information for content encryption for protecting the digital work.
(2) Description of the Related Art
Accompanying developments in recent years in techniques such as digital processing, storing, and communication, services that provide digital content such as movies to users by way of sale or rental of large-capacity recording media have become widespread. In addition, systems in which digitized content is broadcast, received by a reception apparatus, stored on a recording medium such as a recordable digital optical disc, and then reproduced by a reproduction apparatus are becoming common.
In providing such a service or system, it is necessary to protect the copyright of the content, and perform reproduction, copying and so on under limitations consented to by the copyright holder, so that the content is not used illegally.
Generally, a digital work is protected in the following way from illegal copying for which the copyright holder has not consented. A recording apparatus encrypts the digital content with an encryption key, and records the encrypted content on a disc. Only a reproduction apparatus that has a decryption key corresponding to the encryption key is able to decrypt the encrypted content. An agreement for copyright protection are determined by the manufacturer of the recording apparatus and the reproduction apparatus etc. in conjunction with the copyright holder, and the manufacturer obtains the encryption key or the decryption key (hereinafter simply referred to as “the key”), on the condition that the manufacturer adheres to the agreement. The manufacturer must manage the obtained key stringently so that it is not divulged to a third party.
However, even when the manufacturer manages the key stringently, there is a possibility that a third party will obtain the key illegally. Once the key has been exposed by the third party, the third party may circulate the key, manufacture a recording and/or reproduction apparatus that uses the content illegally, or create a computer program that uses the content illegally and distribute the computer program via the Internet, without regard for the agreement consented to by the manufacturer and the copyright holder. It is desirable that in such a case the copyright holder is able to make content that is provided after the key has been exposed unusable with the exposed key.
The following is the simplest method that responds to this desire.
The key management organization (hereinafter simply referred to as “the organization”) has a set of keys that consists of a plurality of device keys and a plurality of media keys. The organization assigns one of the device keys and a device key identification number respectively to each of a plurality of recording apparatuses and a plurality of reproduction apparatuses, and then provides each recording apparatus and reproduction apparatus with the respective device key and device key identification number. In addition, the organization assigns one media key to a recording medium. Next, the organization encrypts the media key, using each of the device keys assigned to the recording apparatuses and the reproduction apparatuses, to generate encrypted media keys, and stores a list of the encrypted media keys corresponding to all the device keys, and the key identification numbers on the recording medium as key information. When the recording medium is loaded into a recording apparatus or a reproduction apparatus, the apparatus extracts the encrypted media key corresponding to the key identification number assigned to the apparatus itself, from the key information in the recording medium, and decrypts the extracted encrypted media key, based on the device key that is assigned to the apparatus itself, to generate the media key. Next, the recording apparatus encrypts content using the obtained media key, and records the resulting encrypted content on the recording medium. On the other hand, the reproduction apparatus decrypts encrypted content in the same way, using the obtained media key. In this way, if a recording apparatus or a reproduction apparatus has a legitimately assigned device key, it is always able to obtain the same media key from the recording medium, thus maintaining compatibility between devices.
Here, suppose that the device key of a particular recording apparatus or reproduction apparatus has been exposed. When storing key information on a new recording medium after the device key has been exposed, the organization creates key information that does not include the exposed device key, and stores the created key information on the recording medium. In this way, an illegitimate apparatus that knows the exposed device key is unable to obtain the correct media key from the key information, because an encrypted media key encrypted using the exposed device key is not included in the key information stored in the recording medium. As a result, the illegitimate apparatus is unable to use the content illegally. For example, if the illegitimate apparatus is a recording apparatus, encrypted content recorded using that recording apparatus is not encrypted using the correct key, therefore the encrypted content cannot be decrypted using a legitimate reproduction apparatus. Furthermore, if the illegitimate apparatus is a reproduction apparatus, that reproduction apparatus is unable to obtain the correct media key, and is therefore unable to correctly decrypt encrypted content that has been recording using a legitimate recording apparatus. In this way, an exposed key can be revoked.
However, a defect in this simple method is that the size of the data of the key information is unrealistically large when there is a great number of apparatuses. For example, suppose that a particular type of digital device becomes widespread throughout the world, and billions of the particular device exist in the world. If the encryption algorithm used in generating the above-described encrypted content is the American standard encryption triple DES encryption, the length of one media key including padding will be 16 bytes. Consequently, the size of an encrypted media key will also be 16 bytes. Furthermore, if a four-byte value is used as the key identification number, the size of the key information will be 20 bytes*one billion apparatuses=20 billion bytes=20 giga bytes. This large value is unrealistic considering the capacity of current recordable optical discs.
In this kind of system it is a condition that the size of key information recorded on a recording medium be very small compared to the capacity of the recording medium.
One example of a system that meets this condition is a digital work protection key management method that uses a tree structure, disclosed in Document 1“Digital Content Hogo-you Kagi Kanri Houshiki (Key Management Method for Protecting Digital Content)”, Nakano, Omori and Tatebayashi, Symposium on Cryptography and Information Security 2001, SCIS2001, 5A-5, January 2001.
Before describing the method disclosed in Document 1, a brief description is given of a tree structure.
In terms of form, the tree structure is a finite set T that is composed of at least one node, and is defined as meeting the following conditions.
(a) Only one node is designated as a root of the tree structure.
(b) Other nodes (excluding the root) are divided into sets T1, . . . , Tm that do not have m (m≧0) common parts. Each Ti(i=1, . . . , m) is a further tree structure whose height is “1” less than T. The tree structures T1, Tm are subtrees of the of the root.
Furthermore, the numbers of the levels (layers) in the tree structure T are defined in the following way. The root of T is level 0. Taking an example of a subtree Tj that is a subtree of the root T, the level of the root Tj is one greater than T.
The following describes the digital work protection key management method that uses a tree structure disclosed in Document 1.
In this key management method, the organization constructs, as one example, a binary tree structure having four layers, and generates a number of keys that is equal to the number of nodes in the constructed tree structure. Each generated device key is assigned to a node in the tree structure. The organization corresponds each player (hereinafter “player” refers to the above-described reproduction apparatuses) with a leaf in the tree structure, and distributes one set of device keys to each player that is corresponded one-to-one with one of the leaves. The set consists of a plurality of device keys that are assigned to the nodes on the path from the corresponding leaf through to the root. In this way, a different device key set is distributed to each player.
Here, when a device key set that has been assigned to one player is exposed, the organization deletes the nodes to which the device keys included in the exposed device key set are assigned. Then, the organization specifies the keys that are common to the greatest numbers of players, amongst the players whose device keys have not been exposed, as the next device keys to be used.
Document 1 shows that according to this method key information of approximately 3 MB will suffice if an arbitrary 10,000 of the billion players are to be revoked.
Document 2 “Manipulation of Trees in Information Retrieval” (G. Salton, Communication of the ACM 5, 1962), and Document 3 “Kihon Sanhou/Jouhou Kouzou (Basic Algorithms/Information Structure)”, Knuth, trans. Yoneda & Kakehi, Saiensu-sha, 1978, disclose methods of expressing a tree structure linearly. The tree structure is expressed linearly by arranging each node in the tree structure according to a particular rule. For example, p. 136 of Document 3 shows the order in which the levels are arranged. According to this method, the levels are arranged in order from lowest to highest, and the nodes in each level are arranged in order from left to right. By arranging the nodes according to a specific kind of rule, the player is able to construct a tree structure from the linearly arranged information.
While the size of the key information recorded in the recording medium in this key management method for digital work protection does meet the condition of being very small compared to the capacity of the recording medium, there is a demand for the player to be able to efficiently determine the key assigned to the player in the event that the keys in the constructed tree structure include a revoked key.